Split Tunnel VPN to bypass Chinese Sensorship

Posted on 2014-01-08
Last Modified: 2014-01-14
My company has an office in China.  The great firewall of China often gets in the way of our western employees accessing sites that they need to work.  Some sites are completely blocked, others have their capability degraded to the point where they can be hardly used (such as Gmail).

We have a Sonicwall TZ170 in both Ottawa, Canada and Dongguan, China.  We have a VPN connection established between the sites.  I have tried routing all the traffic from Dongguan to Ottawa and this works, but it is far too slow to be practical.  

I am looking for a way to split the traffic so that restricted sites go through the VPN and unrestricted sites go through the Chinese internet.  Any suggestions?

Also, we have used various VPN services on the client machines and these work well.  But I would rather have something centrally managed.  Is there a way to route specific traffic through a 3rd party VPN?

Running Windows 2012 servers pretty much through and through.
Question by:encoad
  • 2
LVL 69

Expert Comment

ID: 39766723
» Is there a way to route specific traffic through a 3rd party VPN?
Usually the answer has to be "no". VPN clients are not intended to route traffic. I've managed to force Cisco (IPSec) VPN client and Windows RRAS into proper routing (see for details). Most other VPN clients do not use a virtual network interface you can see in RRAS, and so that will not work for them.

» I am looking for a way to split the traffic so that restricted sites go through the VPN and unrestricted sites go through the Chinese internet.  Any suggestions?
Difficult to achieve. You'll have to route on target IP address. Unless the SonicWALL supplies wildcard routing via policy-based routing, to redirect all *.com, for example.

Author Comment

ID: 39766769
Is there some (relatively) inexpensive hardware that can help me achieve what I want? (either replacing or supplementing the Sonicwall).

The Sonicwall handle wildcard netmasks, but cannot do anything with specific domains.

We use VPN connections like PureVPN which works great, but I need this at the network level as opposed to the client level.

In my dreamworld, all domains owned by Google would go through PureVPN for example.
LVL 69

Expert Comment

ID: 39766855
Nothing you can set up easily will help you in your mission. And I can't tell anything about PureVPN - the info they provide is confusing, but the protocols they use would all allow for routing, if the client does. If it works with the MS VPN (PPTP, SSTP, L2TP/IPSec) or the default Open Source OpenVPN client, making a Windows machine a router is feasible.

Still all solutions would require you to divert by IP addresses, not names. And that is the main issue. But Google US has some fixed IP ranges, so that would be managable. You would have to define the specific routing on a single point, best on your default gateway, and that usage would be transparent, no need to set up more on clients.

IDK, but a Web Proxy could also be able to apply domain specific rules - maybe even routing.
LVL 20

Accepted Solution

carlmd earned 500 total points
ID: 39767662
Take a look at the following. Even though it is older, it should help you route the traffic.

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In the hope of saving someone else's sanity... About a year ago we bought a Cisco 1921 router with two ADSL/VDSL EHWIC cards to load balance local network traffic over the two broadband lines we have, but we couldn't get the routing to work consi…
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

815 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now